Executives Concerned About Software Supply Chain Security, But Taking No Action

Venafi announced the results of a survey highlighting the challenges of improving the security of the software supply chain. The survey evaluated the opinions of more than 1,000 IT and development professionals, including 193 executives responsible for both security and software development, and revealed a stark disconnect between what executives say concerns them and what they are actually doing about it.
While 94% of executives believe there should be clear consequences (fines, increased legal liability for negligent companies) for software vendors who fail to protect the integrity of their software creation pipelines, most haven’t done much to change the way they assess the security of the software they buy or the assurances they require from software vendors.
According to ENISA, supply chain attacks, such as SolarWinds, Codecov and Kaseya, are expected to quadruple in 2021. Executives are clearly much more concerned about their vulnerability to software supply chain attacks and aware of the urgent need to act. However, the survey results show that they are not taking the actions that would bring about that change:
- 97% of executives believe software vendors need to improve the security of their software creation and code signing processes.
- 96% of executives believe that software vendors should be required to ensure code integrity in their software updates.
Disconnect between concerns about supply chain attacks and improved security
- 55% of executives say the SolarWinds hack had little or no impact on the concerns they consider when purchasing software products for their business.
- 69% of executives say their company has not increased the number of questions they ask software vendors about the processes used to keep their software secure and verify code.
- Within their own organizations, leaders are divided over who is responsible for improving the security of software development, with 48% saying IT security is responsible and 46% saying development teams are responsible.
“There is a clear mismatch between concerns about supply chain attacks and improving security controls and processes to mitigate that risk,” said Kevin Bocek, vice president of security strategy and threat intelligence at Venafi.
“Executives are right to be concerned about the impact of attacks on the supply chain. These attacks pose serious risks to any organization that uses commercial software and are extremely difficult to combat. To solve this systemic problem, the entire tech industry must change the way we design and buy software.
“Executives can’t treat this as just another technical problem; it’s an existential threat. C-level executives and boards should demand that software vendors’ security and development teams provide clear assurance about the security of their software.